Recap on network layers and protocols 


In this chapter we are going to have a look at the foundational basics of 
communication protocols used in networks like the internet. The knowledge we 
gain here will later be used to manually create network packets and send them to 
other hosts on our network. In case you are very familiar with the TCP/IP 
network layers, the protocols and the three-way handshake, you can skip this first 
part and dive directly into the analysis of raw TCP/IP packets. 


Networking models 


For the communication between two hosts in the internet, a layered networking 
model is used. There exists a vast number of networking models and depending on 
where you came into contact with them first, you might know one or more of them 
with different numbers of vertical layers. The number of vertical layers ranges 
from three (Arpanet Reference Model) to seven (OSI model). 


For this series we are going to use the five-layer model from Andrew Tanenbaum: 


5 Application 
4 Transport 
3 Internet 
2 Data link 
1 Physical 


When data is transmitted from one host to another, the data is handed downwards 
from the uppermost layer to the bottom layer of the sending host. At each level, the 
current layer adds its own header (or trailer) and hands it further downwards. This 
process is also called encapsulation. 

At the bottom layer the data is transmitted to the receiving host, which then does 
the same process in reverse: it hands the received transmission from the bottom 
to the top, with each layer removing its header (or trailer). 


[Figure: data to be transmitted from Host A to Host B through the layers; labels include HTTP and DNS (Application), Ethernet and DSL.] 


For our use cases in this series, the layers 3 (Internet) and 4 (Transport) will be the 
most relevant ones. Therefore, we will have a look at two of the most prominent 
protocols in these layers. 


Internet Protocol (IP) 


The Internet Protocol (IP) is the principal communication protocol for the internet 
as we know it today. Its purpose is delivering packets from the source host to the 
destination host based on the IP addresses in the packet headers. It is a 
connectionless protocol meaning that errors such as data corruption, packet loss 
or duplication might occur. Packets of connectionless protocols are also called 
datagrams. The Internet Protocol exists in two versions, IP Version 4 (IPv4) and IP 
Version 6 (IPv6). 


The following table shows the basic format of an IPv4 header: 


[Table: IPv4 header layout over bit positions 0 to 31, ending with Data (var.). The fields are described below.] 


Version (4 bits): 
Indicates the protocol version, e.g. IPv4 or IPv6. 


IHL (4 bits): 
The IP Header Length is the length of the header in 32 bit words. The minimum 
value is 5 words (in case no options are set), the maximum 15. Therefore, the 
maximum header length is 60 bytes [32bit * 15 = 480bit == 60 bytes], the minimal 
length is 20 bytes. 


Type of Service (8 bits): 
Also known as Differentiated Services, it is used for quality of service. The first 6 bits 
are the Differentiated Services Code Point (DSCP), the last 2 bits are the Explicit 
Congestion Notification (ECN) used to notify the receiver in case of network 
congestion. 


Total Length (16 bits): 
Indicates the total length of the packet in bytes. The maximum length of a packet is 
65 535 Bytes. 


Identification (16 bits): 
All fragments of a packet have the same identification number, aiding the receiver 
to assemble fragmented packets. 


Flags (3 bits): 
The first bit is unused. The two other bits are the DF (Don't Fragment) and the MF 
(More Fragments) bits. The DF bit tells routers not to fragment the packet. The 
MF bit signals that more fragments are about to come. All fragments except the 
last one have this bit set, so a fragment with MF cleared is the last one. 


Fragment Offset (13 bits): 
This field indicates where in the packet this fragment belongs. Together with the 
values of Identification and MF this ensures the reassembling of fragmented 
packets. 


Time to Live (8 bits): 
This field is a counter which limits the lifetime of a packet and is decreased by 
every router on the packet’s way. When it hits zero, the router will discard the 
packet and send an ICMP error message to the sender. 


Protocol (8 bits): 
This field indicates the next level protocol used in the data portion of the packet. 
For example TCP would be value 6, UDP value 17. 


Header Checksum (16 bits): 

A checksum on the header only. Since some header fields change (e.g., time to live), 
this is recomputed and verified at each point (e.g. router) that the internet header 
is processed. 


Source Address (32 bits): 
The source IP address. 


Destination Address (32 bits): 
The destination IP address. 


Options (variable): 
The options field is optional and seldom used. In case it is used, its value must be 
padded with zeros to a multiple of 32 bits because of the IHL. 


Data (variable): 
This field contains the payload of the packet. The data is not part of the header, and 
therefore not included in the Header Checksum. 
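
The field layout described above, written out as a parser. This is an added example, not code from the original series; the function names and the sample packet (addresses from the 192.0.2.0/24 documentation range) are constructed for illustration. It also rejects headers whose IHL or Total Length contradict each other, which is the first thing a receiver or capture tool has to check before trusting any offset.

```python
import ipaddress
import struct

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode an IPv4 header and reject lengths that contradict each other."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimal 20-byte header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("Version field is not 4")
    header_len = ihl * 4  # IHL counts 32-bit words
    if ihl < 5 or header_len > len(packet):
        raise ValueError("IHL below 5 or beyond the captured bytes")
    if total_len < header_len:
        raise ValueError("Total Length smaller than the header itself")
    return {
        "header_len": header_len,
        "dscp": tos >> 2,
        "ecn": tos & 0x03,
        "total_len": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "checksum": checksum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:header_len],
    }

def make_sample(ver_ihl: int, flags_frag: int) -> bytes:
    """Constructed sample: 192.0.2.1 -> 192.0.2.2, TTL 64, TCP, checksum left at 0."""
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 40, 0x1234, flags_frag,
                         64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + bytes(20)  # 20 zero bytes standing in for the payload

if __name__ == "__main__":
    print(parse_ipv4_header(make_sample(0x45, 0x4000)))        # DF set
    print(parse_ipv4_header(make_sample(0x45, 0x2000 | 185)))  # middle fragment
```
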


Transmission Control Protocol (TCP) 


Together with the internet layer, the transport layer is responsible for many 
internet applications like the World Wide Web. The transport layer provides 
applications a logical host-to-host connectivity hiding complexity from 
applications by presenting them an abstraction of the network connection, e.g. 
through a network socket. The Transmission Control Protocol (TCP) we are going 
to look at here is a reliable, ordered and error-checked protocol. It provides 
mechanisms for connection establishment/termination, reliable transmission, 
error detection, flow/congestion control, and more. In contrast to that, the User 
Datagram Protocol (UDP), another popular transport layer protocol, is 
connectionless and unreliable, however, faster than TCP. 


The following table shows the basic format of a TCP header (used together with 
IPv4): 


[Table: TCP header layout; surviving cells: Source Port, Destination Port, Sequence Number, Data (var.). The fields are described below.] 


Source Port (16 bits): 
The number of the source port. 0-1023 are ‘well known ports’, 1024-49151 are 
‘registered ports’, 49152-65535 are ‘dynamic ports’. 


Destination Port (16 bits): 
The receiving port number. 


Sequence Number (32 bits): 
The sequence number of the first data byte in this segment. In case the SYN flag is 
set, the sequence number is the initial sequence number (ISN) and the first data 
byte is ISN+1. 


Acknowledgement Number (32 bits): 
If the ACK flag is set, this field contains the value of the next sequence number the 
sender of the segment is expecting to receive. 


Data Offset (4 bits): 

Indicates the size of the TCP header in 32-bit words. The minimum value is 5 
words, the maximum 15. Therefore, the maximum header length is 60 bytes [32bit * 
15 = 480bit == 60 bytes], the minimal length is 20 bytes. The field is also the offset 
from the start of the TCP segment to the actual data. 


TCP/IP packets - 1 Recap on network layers and protocol... https://inc0Ox0.com/tcp-ip-packets-introduction/tcp-ip-pa... 


Reserved (3 bits): 
Reserved for future usage, must be set to 0. 


Flags (9 bits): 

NS: experimental: ECN - concealment protection 
CWR: Congestion Window Reduced; used for the congestion control mechanism 
ECE: ECN-Echo; used for the congestion control mechanism 
URG: Indicates that the Urgent Pointer field is significant 
ACK: Indicates that the Acknowledgement field is significant 
PSH: Asks to push the buffered data to the receiving application and not wait for the buffer to be filled 
RST: Reset the connection 
SYN: Synchronize sequence numbers 
FIN: No more data from sender 


Window Size (16 bits): 
Used for flow control and window scaling. It allows the sender of the segment to 
signal the number of window size units it is currently willing to receive. 


Checksum (16 bits): 
This field is for error detection. It is computed over the header, the payload and a 
pseudo-header (consisting of: source IP address, destination IP address, protocol 
number and total length of the packet). 


Urgent Pointer (16 bits): 
If the URG flag is set, the urgent pointer points to the sequence number of the byte 
following the urgent data. 


Options (variable): 
The options field is optional and can be used for example for signaling maximum 
segment size, timestamps and more. In case it is used, its value must be padded 
with zeros to a multiple of 32 bits. 


Data (variable): 
This field contains the payload of the packet. The data is not part of the header. 
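
How the nine flag bits and the pseudo-header checksum work in practice, as an added example that is not code from the original series; function names and the sample addresses are constructed for illustration. The same 16-bit ones' complement sum is what the IPv4 Header Checksum uses, there over the IP header only. A segment whose checksum field is correct sums to 0 when re-checked, and the pseudo-header ties the result to the IP addresses.

```python
import struct

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]  # bit 0 upward

def internet_checksum(data: bytes) -> int:
    """Ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header (addresses, protocol 6, TCP length), header, payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Build a 20-byte header (Data Offset 5) plus payload with a valid checksum."""
    bits = sum(1 << FLAG_NAMES.index(name) for name in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (5 << 12) | bits, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed header fields and the nine flag bits."""
    if len(segment) < 20:
        raise ValueError("shorter than the minimal 20-byte header")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4  # Data Offset counts 32-bit words
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("Data Offset below 5 or beyond the segment")
    flags = [name for bit, name in enumerate(FLAG_NAMES) if off_flags & (1 << bit)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags, "window": window,
            "checksum": checksum, "payload": segment[data_offset:]}

# Constructed sample addresses (documentation range), not taken from the page
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])

if __name__ == "__main__":
    seg = build_segment(SRC, DST, 40000, 80, 1000, 2001, ["SYN", "ACK"])
    print(parse_tcp_header(seg)["flags"], tcp_checksum(SRC, DST, seg) == 0)
```
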


Connection Establishment 


TCP uses a three-way handshake in order to establish a connection. Let’s assume 
that host A wants to connect to host B: 


[Figure: three-way handshake between Host A and Host B. A to B: SYN, Seq-No = X. B to A: SYN, ACK, Seq-No = Y, Ack-No = X+1. A to B: ACK, Seq-No = X+1, Ack-No = Y+1.] 


1. SYN: Host A sends a [SYN] to host B with a random value X as sequence 
number. 
2. SYN-ACK: Host B replies to this connection attempt by sending a 
[SYN ACK]. The sequence number Y is randomly chosen by host B. The 
acknowledgement number is the received sequence number increased by 
one, i.e. X+1. 
3. ACK: Host A sends an [ACK] to host B. The sequence number is the 
previously received acknowledgement number X+1. The new 
acknowledgement number is the received sequence number increased by 
one, i.e. Y+1. 


At this point, the connection between the hosts is established as both of them 
received an acknowledgement of the connection. 
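
The three steps above can be checked mechanically against captured segments. The following is an added example, not code from the original series: the function name, the tuple format and the sample segments are constructed for illustration. It tracks each connection through SYN, SYN-ACK and ACK, applies the X+1 / Y+1 rules modulo 2^32 (sequence numbers are 32-bit and wrap), and reports which connections never completed the handshake.

```python
MOD = 2 ** 32  # sequence numbers are 32-bit values and wrap around

def track_handshakes(segments):
    """Map each (client, server) pair to 'syn-sent', 'syn-received' or 'established'.

    Each segment is (src, dst, flags, seq, ack); src/dst are "ip:port" strings
    and flags is a set of flag names.
    """
    state = {}
    for src, dst, flags, seq, ack in segments:
        if flags == {"SYN"}:
            # Step 1: client picks its initial sequence number X
            state[(src, dst)] = {"x": seq, "y": None, "status": "syn-sent"}
        elif flags == {"SYN", "ACK"}:
            # Step 2: server picks Y and must acknowledge X+1
            conn = state.get((dst, src))
            if conn and conn["status"] == "syn-sent" and ack == (conn["x"] + 1) % MOD:
                conn["y"], conn["status"] = seq, "syn-received"
        elif flags == {"ACK"}:
            # Step 3: client sends Seq = X+1 and acknowledges Y+1
            conn = state.get((src, dst))
            if (conn and conn["status"] == "syn-received"
                    and seq == (conn["x"] + 1) % MOD
                    and ack == (conn["y"] + 1) % MOD):
                conn["status"] = "established"
    return {pair: conn["status"] for pair, conn in state.items()}

# Constructed sample capture (documentation addresses), not taken from the page
A, C, D, B = "192.0.2.10:40000", "192.0.2.11:40001", "192.0.2.12:40002", "192.0.2.20:80"
SAMPLE = [
    (A, B, {"SYN"}, 0xFFFFFFFF, 0),      # X at the top of the range: X+1 wraps to 0
    (B, A, {"SYN", "ACK"}, 5000, 0),
    (A, B, {"ACK"}, 0, 5001),            # valid completion
    (C, B, {"SYN"}, 100, 0),
    (B, C, {"SYN", "ACK"}, 7000, 101),
    (C, B, {"ACK"}, 101, 7000),          # wrong Ack-No (Y instead of Y+1)
    (D, B, {"SYN"}, 42, 0),              # never answered
]

if __name__ == "__main__":
    for pair, status in track_handshakes(SAMPLE).items():
        print(pair, status)
```
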